PowerShower PowerShell Backdoor
POWERSHOWER is a newly observed PowerShell-based backdoor believed to have been created by the Inception group, an advanced persistent threat targeting government organisations throughout Europe.
Inception uses a two-stage spear phishing process to deliver POWERSHOWER. Initially, a reconnaissance email with a Microsoft Word attachment is sent to the user. This attachment is a document that references a malicious Microsoft Word remote template. When the document is opened, Word fetches the template from the attacker's command and control (C2) server, which confirms that the target opened the file; the C2 server then sends a secondary email containing a malicious RTF document with exploits for two Word vulnerabilities. These exploits execute a VBScript script that downloads and installs POWERSHOWER.
Remote templates are a feature of Microsoft Word that lets a document reference a template stored somewhere other than the local machine: the template can be hosted on a file share or on the internet, and Word fetches it when the document is opened. The first-stage document therefore contains no exploit of its own; the network fetch is what gives the attacker a beacon, and the remote template host can choose what, if anything, to return.
Once installed, POWERSHOWER creates registry entries to maintain persistence and to make future PowerShell windows open off-screen by default, then terminates Word processes and removes the files and registry entries associated with its installation. It then sends system information to the C2 server and waits for further instructions.
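The relationship Word follows to a remote template is visible inside the document package, so a first-stage document of this kind can be triaged without opening it in Word. The script below is an added example and is not code from the original page or from the Inception analysis: it opens a .docx as the ZIP container it is, reads word/_rels/settings.xml.rels, and reports any attachedTemplate relationship whose target is fetched over the network (an http(s) URL, a UNC path, or a file: URL with a non-local host), while treating a template on a local drive such as Normal.dotm as benign. The sample documents it builds are constructed in memory; the hostname template.example is a placeholder, not an indicator from this report.

```python
import io
import re
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# OOXML namespaces and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote(target):
    """True when Word would fetch this template target over the network.

    UNC paths (\\\\server\\share\\x.dotm), http(s) URLs and file:// URLs with a host
    are remote; file:///C:/... (empty host) and plain local paths are not.
    """
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        return True
    if parsed.scheme == "file" and parsed.netloc not in ("", "localhost"):
        return True
    return False


def attached_templates(docx_bytes):
    """Return every attachedTemplate target declared in the document package.

    A file that is not a ZIP (plain RTF, an empty file) yields an empty list rather
    than an exception, so the function can be run over a whole mail attachment set.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
            if SETTINGS_RELS not in package.namelist():
                return []
            root = ET.fromstring(package.read(SETTINGS_RELS))
    except (zipfile.BadZipFile, ET.ParseError):
        return []
    targets = []
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") == ATTACHED_TEMPLATE:
            targets.append(rel.get("Target", ""))
    return targets


def find_remote_templates(docx_bytes):
    """Return only the attachedTemplate targets that would cause a network fetch."""
    return [t for t in attached_templates(docx_bytes) if is_remote(t)]


def build_sample_docx(template_target):
    """Construct a minimal .docx in memory whose settings point at template_target.

    This is a constructed fixture for demonstration, not one of the samples listed
    in the indicators of compromise.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        "</Relationships>" % (REL_NS, ATTACHED_TEMPLATE, template_target)
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        package.writestr("word/settings.xml", settings)
        package.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical remote host; a local Normal.dotm reference for comparison.
    suspicious = build_sample_docx("http://template.example/invoice.dotm")
    benign = build_sample_docx(
        "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    )
    for label, doc in (("suspicious", suspicious), ("benign", benign)):
        print(label, find_remote_templates(doc))
```

The same package layout is used by .docm and .dotm files, so the check applies to them unchanged. It does not cover the RTF second stage, which carries exploits rather than a template reference, and a remote template host that returns a clean template on first contact will still show up here, which is the point: the reference itself is the indicator, whatever the host chooses to serve.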
Affected Platforms
Microsoft Windows – All versions
Indicators of Compromise
Remote template documents for which the matching payload was recovered
13de9678279b6ce6d81aeb32c0dd9f7458ad1f92aee17f3e052be9f06d473bed
d547773733abef19f2720d4def2356d62a532f64bcb002fb2b799e9ae39f805f
Remote templates analyzed
687ee860fd5cd9902b441c26d72788d5a52052d03047a9b071808fc4c53a7e8b
72eb022f395cc15bbe9582ee02f977ea0692932461a8b0bd608d9f0971125999
PowerShower sample
8aef4975d9c51821c4fa8ee1cbfe9c1f4a88c8784427d467ea99b2c1dabe15ae
Other related templates and exploit documents from 2018
49dbcf1fc8d3381e495089f396727a959885c1dd2ab6cd202cf3c4dbd1d27c4f
8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d
cc64a68ba52283f6cf5521cf75567b3c5b5143f324d37c59906ee63f1bbafcaf
2bcb8a4ddc2150b25a44c292db870124c65687444f96e078f575da69bbf018e0
Infrastructure
51.255.139[.]194 Remote template host
188.165.62[.]40 Remote template host
200.122.128[.]208 POWERSHOWER C2
108.170.52[.]158 Remote template host
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.